ARIN-PPML Message

[arin-ppml] Whois doesn't violate privacy, people do (was: SWIPs & IPv6)

Hi Milton,

Since you elected once again to ignore (or in this case delete) the  
substantive, policy relevant questions that I posed to you, I decided  
to resend them one more time, under a subject line that better  
illuminates the inconsistency and weakness in your reasoning about  
whois as compared to other real, potential, and imagined threats to  
privacy.

Would still welcome a substantive response or two...

TV

On Dec 5, 2009, at 4:11 PM, Milton L Mueller wrote:

> Thanks, Lee, I will take a look at that. But note that I have been  
> through a similar debate on the DNS side, and the more I learned  
> about the LEA position the more I realized that standard protections  
> and procedures should apply.  Indeed, I have discussed this with  
> several LEAs in Europe who will admit (privately) that they use  
> Whois to avoid legal constraints and that doing so has no  
> justification other than their own convenience and that open access  
> to the information is often abused or leads to abuse by third parties.

The real problem is the act of *misuse* of identifying information,  
and not the legal status or identity of the party misusing it, or the  
particulars of how the misused information was come by. And given  
that, your demand for what boils down to the imposition of prior  
restraint on an essential component of Internet technical coordination  
represents a strange, if predictable, departure from your otherwise  
panglossian insistence that post-facto individual legal remedies are  
always and everywhere sufficient to handle any unfortunate
side-effects of private market behavior. Why don't you counsel those
alleging "whois abuse" to simply address their grievances to the  
courts, the same way that you counsel victims of abusive private  
sector practices or the exercise of anticompetitive market power to  
take it to the judge?

 >>> In other words, Whois doesn't violate privacy; the policies and  
administrative practices that sustain whois as a viable mechanism for  
technical coordination don't violate privacy; *people* who misuse  
whois violate privacy. Why should

List members may find the contrast between what you're advocating here  
and what you advocated in the run-up to the privatization of DNS  
illuminating.

In your October 1997 CATO Institute Briefing Paper, "Internet Domain
Names: Privatization, Competition, and Freedom of Expression," you
write:

> The Burden of Proof on Applicants for Domain Names
>
> Some people have suggested that domain name applicants be required  
> to demonstrate that they have a basis for requesting a particular  
> domain name. Further questions then arise. What information should  
> be supplied? Who should evaluate the information? What basis or  
> criteria should be used?
>
> Those questions are helpful but need to be reframed. The answers to  
> them can come only from the policies name registries adopt to  
> prevent name speculation and to control the secondary market for  
> names. Name speculation is a form of arbitrage. Speculators attempt  
> to exploit the gap between the price of registering a name and the  
> higher value of that name to some other potential user. Name  
> speculation thus provides a clear signal that the primary  
> distributor of name registrations is not exploiting the full  
> economic value of its name resources.
>
> The best long-term solution to this problem is privatization of name  
> registration and expansion of TLD space. It is in the rational
> self-interest of commercial registries to manage name resources actively
> rather than passively. Just as airlines or movie theater owners do  
> not allow aggregators and wholesalers to buy up all available seats  
> and resell them to end users, so it seems unlikely that private,  
> profit-motivated name registries would allow speculators, rather  
> than themselves, to exploit the full economic value of their  
> namespace. As the namespace becomes privatized and commercialized,  
> it seems likely that more active monitoring of who is applying for  
> names and why would take place. Administrative policies such as this  
> are much preferable to intellectual property law as a solution to  
> problems of name speculation.
>
Full text here:
http://www.cato.org/pub_display.php?pub_id=1473&full=1

This little nugget is full of telling observations -- from your unique  
"theory of speculation" to your predictions about how privatization  
and competition would influence the policy-setting behavior of  
commercial domain registries. I'm guessing that you'd still stand by  
these recommendations, even knowing that one consequence of their  
implementation has been the permanent elimination of DNS whois as an  
effective mechanism for inter-domain technical coordination, but feel  
free to surprise me.

Arguably, history has demonstrated that DNS whois was, in fact,  
expendable. However, that's only because the underlying/parallel  
inetnum whois provided a sufficient if not superior mechanism for most  
technical coordination requirements. The whois functions provided by  
the RIRs are different in kind than DNS whois, and for those functions  
there is no plausible substitute -- or at least none that can be  
provided by voluntary private action.

So, for the present discussion, I would highlight the last two  
sentences of this passage, and ask Milton why "administrative  
policies" such as the ones that make inetnum-related whois viable  
should not be preferred over the imposition of legally (i.e.,  
nationally) mandated compulsory address resource registration, which  
is likely to be the only alternative?

I know you're not big on actually answering practical, policy-relevant  
questions in any substantive way. That's your prerogative.
But I'll keep asking them anyway, if only to remind other readers of  
your long-standing disinclination to put any of your own ideas to any  
meaningful, real-world test.

TV


Begin forwarded message:

> From: tvest at eyeconomics.com
> Date: December 3, 2009 3:38:38 PM EST
> To: Milton L Mueller <mueller at syr.edu>
> Cc: "arin-ppml at arin.net (arin-ppml at arin.net)" <arin-ppml at arin.net>
> Subject: Re: [arin-ppml] SWIPs & IPv6
>
>
> On Dec 3, 2009, at 3:15 PM, Milton L Mueller wrote:
>
>> Tom,
>> there's a logical fallacy in your attempt to avoid the drivers  
>> license (DL) analogy: you have assumed that defeating the analogy  
>> justifies the existing system, in which anyone has access to  
>> potentially sensitive contact information.
>
> Hi Milton,
>
> Is there some reason that you ignored the questions in the message  
> that I sent *before* I responded to Chris' driver's license analogy?  
> It seems to have found its way safely to the ppml archive:
>
> http://lists.arin.net/pipermail/arin-ppml/2009-December/015680.html
>
> On the outside chance that you didn't receive the message, I've  
> copied it again below.
>
> I'm assuming here that you're not planning to "defeat" my questions  
> by simply ignoring them...?
> I think that defeating them in the more conventional way (i.e., by  
> answering them) would be more constructive.
>
> As you may note, the questions that I posed to you have nothing in  
> particular to do with specific institutions, past, present, or  
> imaginary. They have to do with properly defined functions of an  
> Internet protocol number resource registry, and the source(s) of  
> incentives and disincentives that might make it possible for a  
> properly functioning registry to be sustainable over time (a) based  
> solely on voluntary participation, and/or (b) in an environment of  
> competitive registration service delivery.
>
> I look forward to your responses.
>
> TV
>
>
>>> Tom:
>>>
>>> Privacy norms, standards and laws are well known and not that hard  
>>> to apply to this case.
>>> Here is a link to a boilerplate explanation of basic data  
>>> protection principles:
>>> http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DPPrinciples.htm
>>> Respectful suggestion: do some homework on how this issue gets  
>>> handled before wading into a policy arena with global human rights  
>>> implications.
>>
>> Hi Milton,
>>
>> Thanks for the respectful suggestion. I will take it under  
>> advisement.
>>
>> However, I would respectfully suggest that providing more  
>> substantive answers here would be useful both to you (if your goal  
>> is, in fact, to help inform number resource policies), as well as  
>> to those list members who are not likely to go off and do a lot of  
>> homework on this issue.
>>
>>>> 1. Would you say that the proper balance between these two opposing
>>>> goals is reflected in current DNS whois arrangements?
>>>
>>> Absolutely not. (And you know perfectly well that I've answered  
>>> this question, not only on this list, but in lengthy scholarly  
>>> articles, and in years of work on DNS Whois Working Groups and  
>>> Task Forces.)
>>>
>>> It would be very easy for DNS Whois to contain the requisite  
>>> technical information needed for both law enforcement and  
>>> technical management without providing indiscriminate public  
>>> access to anyone and everyone, for any purpose.
>>
>> Okay, in that case I call:
>>
>> 1. Could you suggest how, exactly, a registration/whois system can  
>> be both very accurate, very reliable, and very easy for technical  
>> administrators to access (when justified) for real-time network  
>> management requirements*, while at the same time satisfying the
>> legitimate* privacy concerns of the individuals and institutions  
>> who are represented in that registration data?
>>
>> 2. Could you also suggest how those conditions that are accurately  
>> deemed to be legitimate*, required*, etc. by both groups might be  
>> sustained over time? Specifically, if revelation of whois  
>> inaccuracies is generally only possible as a result of outages or  
>> other "events" that require technical administrator action, and  
>> discovery of correct whois information in such cases is generally  
>> only possible through legal mechanisms (warrants, subpoenas,  
>> lawsuits, registry disaccreditations, etc.) which do not operate at  
>> time scales that are consistent with real-time network management,  
>> what method(s) would you propose for reconciling this critical  
>> mismatch?
>>
>> 3. Finally (and if appropriate), could you also suggest how those  
>> conditions might be preserved in an environment of competitive  
>> commercial provision of registration and whois services?  
>> Specifically, what mechanisms would you recommend to encourage  
>> registration and whois service providers to maintain the proper  
>> level of investment in and ongoing support for this secondary, non  
>> profit-making function? What mechanisms would you advocate to  
>> assure that individual commercial registration and whois service  
>> providers resist the temptation to differentiate themselves by  
>> cutting their whois-related support and/or by relaxing their
>> whois-related customer requirements?
>>
>> Since (3) presumes that you advocate the competitive provision of  
>> registration and whois services, with at least some competitors  
>> being private/not-governmental entities, please disregard this  
>> question if this presumption is inaccurate.
>>
>>> The only reason this doesn't happen: DNS Whois arrangements have  
>>> been hijacked by trademark protection firms, LEAs too lazy to get  
>>> the proper authorizations, and by companies that collect and sell  
>>> the data for various and sundry purposes. See data protection  
>>> principle #2 for my opinion about that.
>>
>> If I'm interpreting your reference correctly, data protection  
>> principle #2 reads:
>> "Personal data shall be obtained only for one or more specified and  
>> lawful purposes, and shall not be further processed in any manner  
>> incompatible with that purpose or those purposes."
>>
>> If we stipulate for the moment that we're only talking about  
>> protocol number whois as used for legitimate technical  
>> administrative purposes that are consistent with the law, then the  
>> relevance of data protection principle #2 is still ambiguous. One  
>> justification for open public whois is that public scrutiny  
>> provides a kind of continuous distributed error detection and  
>> correction mechanism, which helps to maintain whois completeness  
>> and accuracy in between those critical moments when
>> technical-administrative action is both legal and justified -- and at which
>> points the belated discovery of whois inaccuracies can have the  
>> most adverse consequences.
>>
>> Is it your view that the very existence and/or maintenance of  
>> accurate personal data should be subject to a different, higher  
>> standard than the standard suggested by data protection principle #2?
>>
>>>> 2. Are the "legitimate privacy concerns" of artificial
>>>> persons (i.e.,
>>>> corporations) different from the "legitimate privacy concerns" of
>>>> natural persons?
>>>
>>> Sigh. Overlooking your complete ignorance of applicable law, I  
>>> will simply answer yes.
>>> The distinction is well-established in law, not to mention common  
>>> sense. Yes, Tom, there are differences between the privacy rights  
>>> and legal norms applicable to publicly registered corporate  
>>> entities and flesh and blood persons and their homes and personal  
>>> property.
>>
>> Ignoring the insult, I'll just observe again that a less clever but  
>> more substantive response would have probably been more useful, to  
>> you and everyone else.
>>
>>>> If so, how -- and how should the differences be
>>>> reflected in protocol number-related registration data and whois?
>>>
>>> Yes, of course the differences should be reflected. How? Not that  
>>> hard, but as I said in my last message, let's debate specific  
>>> arrangements and proposals, not ideology.
>>
>> Excellent. Here's your chance to debate specifics.
>>
>> It's good to know that it won't be that hard...
>>
>> Thanks,
>>
>> TV